upgrade cookie __Host- prefix to __Host-Http-

thestinger · thestinger · commit fd23e369a1da · 2026-03-06T21:00:45.000-05:00
__Host-Http- is a new cookie prefix forcing HttpOnly in addition to the
existing __Host- prefix requirements.
diff --git a/src/main/java/app/attestation/server/AttestationServer.java b/src/main/java/app/attestation/server/AttestationServer.java
@@ -1298,7 +1298,7 @@ public void handlePost(final HttpExchange exchange) throws IOException, SQLiteEx
 
             final Base64.Encoder encoder = Base64.getEncoder();
             exchange.getResponseHeaders().set("Set-Cookie",
-                    "__Host-session=%d|%s; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=%d".formatted(
+                    "__Host-Http-session=%d|%s; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=%d".formatted(
                         session.sessionId, new String(encoder.encode(session.token)),
                         SESSION_LENGTH / 1000));
             exchange.sendResponseHeaders(200, -1);
@@ -1382,14 +1382,14 @@ private static String getCookie(final HttpExchange exchange, final String key) {
 
     private static void purgeSessionCookie(final HttpExchange exchange) {
         exchange.getResponseHeaders().set("Set-Cookie",
-                "__Host-session=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0");
+                "__Host-Http-session=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0");
     }
 
     private record Account(long userId, String username, byte[] subscribeKey, int verifyInterval, int alertDelay) {}
 
     private static Account verifySession(final HttpExchange exchange, final boolean end)
             throws IOException, SQLiteException {
-        final String cookie = getCookie(exchange, "__Host-session");
+        final String cookie = getCookie(exchange, "__Host-Http-session");
         if (cookie == null) {
             exchange.sendResponseHeaders(403, -1);
             return null;
